Implementing anti-abuse techniques on ISP networks....

Christopher Masto chris at
Thu Aug 7 15:27:31 UTC 1997

On Wed, Aug 06, 1997 at 04:00:14PM -0700, J.D. Falk wrote:
> > I don't know about the "huge players", but we're an Internet Service
> > Provider, not an Internet Blockage Provider.  We don't allow spoofing,
> > and we don't allow relaying, but we're not about to put filters
> > to prevent dialup customers from connecting wherever they want.
> 	How 'bout to stop them from connection wherever they want,
> 	spoofing their IP address so it looks like it's your box at
> 	home that's hacking into the NSA instead of them?
> 	This is an extreme example, but hopefully it illustrates the
> 	reason that a little simple filtering is a Good Thing[TM].

In as much as filtering each dial-up port to only allow packets from
its own source address is an operational issue.. :-)  I said "we don't
allow spoofing".

Operational question: will a Livingston Portmaster allow source IP
spoofing?  That is, if you have been given an address of x, can you
send a packet from y?  If the answer is "yes" (and I can think of a
reason or two why it should be), and given the current implementation
of RADIUS and its method of supplying filter rules, one immediate
solution comes to mind.  Set up a filter rule for every possible IP
address that may be assigned, and have the RADIUS server supply the
rule that goes with the Framed-IP-Address.  Hmmm.
= Christopher Masto        = chris at =  =
= NetMonger Communications = finger for  PGP key = $19.95/mo unlimited access =
= Director of Operations   =   (516)  221-6664 	 = mailto:info at  =

v---(cut here)---v
    yourname at
    "Keep in mind that anything Kibo says makes a great sig."  -- Kibo
^---(cut here)---^

More information about the NANOG mailing list